McAfee throws some FUD at the GPL

Comment: Hits its own investors' confidence
Saturday, 5 January 2008, 17:15

SATURDAY the sky was a sullen violet overcast at dawn, spitting volleys of rain onto the patio roof. Intermittent wind gusts ruffled the laurel hedge out back and swayed the limbs of the big fir tree in the neighbor's back yard. A few of the cats ventured out but soon retreated back indoors to get out of the cold winter storm that had swept up the Pacific coast from San Francisco overnight.

In the chill morning dark, quiet except for the sounds of wind and rain outside, it seemed only fitting to happen upon the news of yet more FUD manure thrown at open source software by a vassal of the Volish empire, against its own interests.

* * *

In its annual report, Windows security software vendor McAfee told its investors that open source software licence terms it vaguely characterised as "ambiguous" might "result in unanticipated obligations regarding our products."

"To the extent that we use 'open source' software, we face risks," McAfee stated.

McAfee explained: "Use of GPL software could subject certain portions of our proprietary software to the GPL requirements, which may have adverse effects on our sales of the products incorporating any such software."

That statement says several things. First, it reveals that McAfee does use at least some open source software derived code in its products. Second, it betrays that McAfee has misappropriated that open source software and thus is committing copyright infringement, because it doesn't distribute that open source software derivative source code. Third, by calling its products that include open source software code "proprietary", McAfee shows that it really doesn't want to shoulder its GPL licence obligations, but instead wants to both have its cake and eat it too.

The company might have more honestly admitted that, to the extent it might have been abusing open source software by ignoring its licence requirements, it might have to distribute its modified open source software source code to its customers, or at least make it easily available to any customers who might want to obtain it.

That is all that the GPL requires. It explicitly permits that products that use GPL licenced software may be sold, subject only to the requirement that the source code to components that are GPL licenced must be distributed or made available.

Merely including both proprietary and open source software in the same package or on the same distribution media doesn't transfer GPL requirements from open source components to proprietary components. McAfee ought to consult with the Free Software Foundation if its management and attorneys are not well versed in the accepted methods for keeping proprietary and open source software separate while still allowing them to work together. The FSF will be glad to help them out.

Even if it were to publish all of the source code for, let's say, its antivirus product, McAfee would certainly be able to keep its virus signatures database proprietary and confidential. That's data, not code, so it couldn't be subject to GPL disclosure. McAfee's antivirus product's marketability wouldn't be diminished in the least, and end-users would still need update subscriptions even if they had the software free.

After all, the long term end-user value of any antivirus product is in the ongoing malware detection and research performed by the vendor, not in the executable module scanning and signature database matching software machinery by itself.

Of course, McAfee might simply be mortified at the thought of having competent customer programmers viewing its software source code. That might be poorly designed and structured, embarrassingly kludgey, or riddled with clumsy coding, and so on. It might even have glaring design loopholes that could be exploited by malware authors if they became widely known. Then again, one doesn't really need source code to find design flaws, given some sophisticated debugging tools.

Perhaps McAfee believes in "security by obscurity" and that's the reason it doesn't want to reveal its modified open source code. But it, and all of the other Windows security software vendors, should know better. After all, that's been Microsoft's approach within Windows itself, and it's been proven to be totally ineffective. The Windows security software vendors only have demand for their products because the Vole's whole "security by obscurity" approach has failed and continues to fail.

Besides, properly designed security software can't be defeated simply by knowing exactly how it works. Well designed security routines have checks that malware code can neither satisfy nor avoid, authorisation tests it can't pass, and function, memory and file protections it can't evade to reach sensitive resources, and so on. There's exemplary open source software that is quite highly secure despite being entirely open for anyone to read. OpenBSD is only one example of several.

However, even if one or more of these is the case, that doesn't excuse continuing GPL violations. The only possible GPL violation cures are to either distribute the derivative open source code or recode the functions in a clean room environment. That, or completely redesign and rewrite the application... entirely from scratch.

If McAfee didn't like the GPL or want to abide by its licence terms, it should have written its own blasted software rather than stealing code from the open source community in violation of the GPL and the US Copyright Act. It's far too late now.

There's nothing at all "ambiguous" about the terms of the GPL, either. Contrary to McAfee's snide, scurrilous suggestion, the GPL is a simple, straightforward software licence with no confusing or onerous terms. Compared to the McAfee EULA -- or especially a Microsoft EULA -- the GPL is a veritable model of simple software licence clarity.

McAfee also feigned to be "troubled" that the terms of the GPL have supposedly never been tested in court. Well, that's simply false. The GPL has been upheld in a German court of law, under the Berne Convention, which harmonised international copyright protection, to which the US has been a signatory since 1988, and which is now under the auspices of the UN World Intellectual Property Organisation (WIPO).

The only reason that the GPL has never been "tested" in a US court of law is that every potential defendant in a copyright infringement lawsuit based upon the GPL has chosen to settle out of court rather than risk losing in court.

The US Copyright Act provides for statutory damages of up to $180,000 for each and every instance of willful copyright infringement.

Before it further disparages the GPL, McAfee should contemplate paying multiple authors of open source software licenced under the GPL $180,000 for each copy of its unlicenced and therefore copyright infringing products it ever shipped. One suspects that not even Microsoft has that much money, and certainly not McAfee.

Also, how can McAfee pretend that the redistribution obligations relating to open source software that are so clearly stated in the GPL were "unanticipated" by it?

That claim is tantamount to the admission that McAfee had previously assumed that it could get away with violating the GPL with impunity. Either that, or it's an admission by McAfee's executive management of their utterly gross incompetence at directing and managing a legally responsible software development enterprise.

These few statements in its annual report, taken at face value, can't be viewed as encouraging for investor confidence in McAfee's executive management team or future business prospects. Indeed, should McAfee's stock decline in market value, it's not unimaginable that these statements could come to be cited as evidence of mismanagement in stockholder lawsuits. Under Sarbanes-Oxley, executives might even be held personally liable for causing the corporation to incur legal liabilities. Having disclosed bad management after the fact might not get them off the hook.

On the other hand, open source software developers whose source code McAfee might have misappropriated aren't likely to sue the company for damages. That's not the point of the GPL, which merely requires that those developers who modify and redistribute open source software also return those derivative works into the open source software development community. GPL compliance is the objective, not monetary gain, and fortunately for all, compliance is almost always possible.

But McAfee probably knows all of this. So what was the point of the FUD attack?

One can only speculate, but it's obvious that all of the Windows security software vendors like McAfee are totally dependent upon Microsoft's dominant Windows OS marketshare for their very existence. Apple Mac and Linux systems aren't nearly as vulnerable to malware as Windows, which by its very design practically invites infestations of all sorts, the whole menagerie -- viruses, adware, spyware, trojans, worms and bots. Without the Vole's Windows monopoly to provide their customer base, parasitic Windows security vendors like McAfee could not stay in business long. There's a powerful motive for McAfee to denigrate open source.

Linux users don't buy antivirus software because Linux isn't anywhere nearly as insecure as Windows, by orders of magnitude. It just isn't needed to run Linux.

Perhaps McAfee is afraid that Linux desktop penetration is heading up, which it is, and wants to do whatever it can to slow its takeup, especially in corporations.

That does seem possible, even plausible, but if that's the case, McAfee is failing to appreciate the direction from which the worst threat to its future viability is most likely to come. Growing uptake of desktop Linux won't kill off McAfee's business.

Long before Linux makes big inroads on the desktop, Microsoft will have escaped from federal antitrust oversight. Then the Vole will bundle security functions into Windows and staff its own malware research lab, putting McAfee out of business.

Or perhaps McAfee will offer software that does something actually productive, instead of living as a mere parasite of the Vole, a remora on the Windows shark.

* * *

It's later Saturday morning and the wind's died down. The cats are sauntering out again to patrol the soggy grounds under a bright grey, featureless overcast sky. µ

Comments
GPL Restrictions

The GPL is slightly more restrictive with commercial code than your article makes out. Compiling in a GPL licensed static library certainly violates the GPL unless you release all of your source code, and it is generally thought that this also applies to dynamic linking.

Take the GPL licensed FFTW for example (www.fftw.org). They also offer non-free licenses and state in their FAQ that:

The non-free licenses are for companies that wish to use FFTW in their products but are unwilling to release their software under the GPL (which would require them to release source code and allow free redistribution). Such users can purchase an unlimited-use license from MIT. Contact us for more details.

We could instead have released FFTW under the LGPL, or even disallowed non-Free usage. Suffice it to say, however, that MIT owns the copyright to FFTW and they only let us GPL it because we convinced them that it would neither affect their licensing revenue nor irritate existing licensees.

----

Clearly the GPL has been chosen over the LGPL as it does force complete source code disclosure whereas the LGPL with dynamically linked libraries certainly does not.

posted by: cfp, 06 January 2008
conn

Wow! Nice article man! It almost made me cry there! Wow, yea, I agree totally, these big corporations are just evil. It takes too much effort to be creative, too much money to spend which would lower the profit, so why not take what's already done and proven solid - open source. Why not, after all, who cares about all the geeks sweating over their keyboards and offering the fruits of their effort to the world to benefit.
It's expensive to be M$, or any big corporation. All those private jets and waste on luxury leave very little left to invest in actual coding effort. So why not take what you need from where it's free and get the job done. Who's gonna ever know? Not like anybody will have access to the source code to reveal the profanity. In the end you can smile from above the silly crowd and call yourself innovative. Innovative. Hmm, somehow these words immediately make me think of the worst, a guy with dorky glasses, semi-mature voice, half of a man, but what a tyrant. "I love this company!"

posted by: name, 06 January 2008
leaks more than a sieve?

There is another problem for all the anti-virus companies. Many people are discovering that by keeping up to date with patches and NOT visiting risky web sites they just don't need virus checking software at all. If there is a major move towards web services such as provided by Google, where the hosting company protects the users, the demand for anti-virus protection will drop even lower.

Then there is always the possibility that Microsoft will write an operating system that leaks more than a sieve.

posted by: Nomen Publicus, 06 January 2008
Open Source at McAfee

I don't know about the other products, but I am all too familiar with their Network IPS product - IntruShield. It uses a number of open-source tools, Tomcat, MySQL, etc., etc., so it's interesting to see that they would say this.

Ken

posted by: Ken, 06 January 2008
McAfee has Linux Products

McAfee does have Linux products. One well known hosting firm has the following options for Linux systems.

McAfee LinuxShield Anti-Virus
McAfee Total Protection - Linux

posted by: David Ball, 06 January 2008
Source of Ire...

The GPL appears to have thrown a wrench into a long standing and perfectly sensible practice of programmers seeking not to re-invent the wheel. While I do not begrudge the GPL or the programmers who assume it, the skeptic in me has to wonder if every line of GPL-covered code is itself completely original work. Could the FUD attack be based on this thought?

There is no excuse for anybody - particularly a large company with huge resources such as McAfee - to use GPL projects as their code libraries. But what if any of that GPL code is based on unprotected work?

Meanwhile, McAfee is not reliant on Microsoft's dominance at all. Like any other threat management software and/or appliance vendor, McAfee is reliant solely on the well-deserved fears of a populace that is perpetually barraged with exploit attempts of every imaginable kind. And since the advent of SOX policies, not only is threat management important for home users, it is crucial for businesses.

It only takes subscriptions to a few emailed security advisories such as US-CERT's Cyber Security Alerts, SecurityFocus' Bugtraq or HNS' newsletter to discover the fallacious nature of statements like "Apple Mac and Linux systems aren't nearly as vulnerable to malware as Windows". In fact TheInq's recently announced favorite Linux flavor - Ubuntu - is ridiculously over-represented in those bulletins, more so than any other flavor of Linux and more than any other OS altogether. I understand you have a trademark anti-Microsoft image to maintain, but please try not to promote that image at the expense of reality.

I worry even more when I see statements like "Linux users don't buy antivirus software because [...] (it) just isn't needed to run Linux."

This is dangerous thinking. Not tremendously dangerous right now in the grand scheme of things, although you might come across lots of Solaris admins and DNS folks that belong to the "once burned twice shy" club and may feel differently. With a strong firewall and prompt attention to security alerts you can probably avoid most of the threats out there, but heaven help you when some zero-day threat does find its way to you, or vice-versa.

Two thoughts to leave you with. First, the platform itself has a shrinking target profile as hackers have been giving increasing attention to applications, shared code and plug-ins. Second, the hacker motive model is increasingly profit-based, which means that the relative sanctity of OS X and Linux is an increasingly precarious position as the popularity of these platforms makes them worth the investment in hackers' attention.

As long as bored socially inept twits can derive deviant pleasure from hacking, and as long as capitalist thieves can profit from hacking in nearly perfect safety and anonymity, every owner of every computer unless perhaps they're running something completely off the radar (OS/2 anybody?), must be vigilant. Just because Jobs' mob made your 'puter or your OS is being tended to 24x7 by pimply socialist wannabees is no reason to think your resources are impenetrable.

Safe computing,
-Brad

posted by: Brad, 06 January 2008
@Brad

"The GPL appears to have thrown a wrench into a long standing and perfectly sensible practice of programmers seeking not to re-invent the wheel."

I think you're trying to utter a statement that sounds like an indictment of the GPL while hoping to deflect argument by ensuring that you don't make any sense.

The practice of programmers seeking to re-use code is indeed long standing and perfectly sensible, but the GPL in no way interferes with it. Of course, the GPL has indeed thrown a wrench into some long standing practices, but code re-use is not found among them.

What the GPL and its ilk have done is to make some additional code available for re-use, at a novel and unique cost that some potential re-users can bear and others consider uneconomical. You fail to describe why this should be a problem for anybody.

"...the skeptic in me has to wonder if every line of GPL-covered code is itself completely original work."

This is another statement that sounds like damnation but is crafted to be empty of any testable substance. I might with equal justification wonder if you strip to your bra and panties at the keyboard.

All GPL-covered code is claimed to be copyrighted by its submitter, and all GPL-covered code is publicly available for inspection. No person of any sense would expect to find stolen code in such an environment. Indeed, no one ever has.

It may be the skeptic in you that compels you to such wonder, but it can only be the liar in you that inspires you to give it voice.

The first two statements of your post being utter tripe, I have concluded that the remainder is not worth reading.

-Wang-Lo.

posted by: Wang-Lo, 07 January 2008
Baddie

It is of course wrong to use GPL licensed software for closed source. But it makes perfect sense for a company not to release all its products under GPL; they wouldn't make a profit. They have most likely spent millions on development. Remember that people who work on open source usually work on commercial software as well to get their bills paid.

posted by: Mr Jones, 07 January 2008
duh.

"Apple Mac and Linux systems aren't nearly as vulnerable to malware as Windows, which by its very design practically invites infestations of all sorts, the whole menagerie -- viruses, adware, spyware, trojans, worms and bots. Without the Vole's Windows monopoly to provide their customer base, parasitic Windows security vendors like McAfee could not stay in business long. There's a powerful motive for McAfee to denigrate open source."

Crack. Crack. Rattle. You sound like a very old 12" record. Let's log in as root in *nix, like you apparently still do in Windows (admin account). Wake up call: ever since NT 3.51 (ooh, like since 15 years or so) there is security in Windows. If you choose not to use it then that's your problem, not M$'s.

"Linux users don't buy antivirus software because Linux isn't anywhere nearly as insecure as Windows, by orders of magnitude. It just isn't needed to run Linux."

Yawn. 1 word (ok, it's 2): "market penetration". If *nix was a big target like Windows, they would. It still ain't.
That's the real reason. You know it, I know it, and everyone else (when they are really honest) knows it too.

posted by: redniels, 07 January 2008
@GPL Restrictions, @ Source of Ire...

@GPL Restrictions:
The GPL may be more restrictive with commercial code, but this is the point of it. Dynamic linking also requires that you give an offer of the source of the dynamically linked library, for instance, and a method to replace it. On the other hand, the GPL is explicit, and a lot of these firms have decided that they want to have their cake (by not paying for the code) and eat it (by not releasing what they should under GPL), effectively breaking copyright.

W.R.T. FFTW, that's up to the people who own the copyright to the project. MySQL also do this. (Ken, take note)

@ Source of Ire...
No, the GPL "has not thrown a wrench into a long standing and perfectly sensible practice of programmers seeking not to reinvent the wheel". 

How about proprietary libraries? How many of them do you get to borrow and stick in your final code without paying for them? It's no different. The effective payment is release of the relevant pieces of code in the proper manner...

You have the terms and conditions of use, it's your own fault if you don't read and follow them.

posted by: dm3, 07 January 2008
lol

They are just desperate.
Since I switched to Linux, I don't need to do a fresh install every 2 months. And I used Kaspersky when I was a Win user.

posted by: pacsum, 07 January 2008
Nobody's forcing them to use the GPL

If they don't want to adhere to the license, they can just simply not use GPL'd code.

The FSF would be very happy to discuss this with them.

posted by: Matt Lee, 07 January 2008
don't jump to conclusions

The article seems to jump to conclusions.

It's not because some commercial entity is looking into possible problems that might have happened and might lead to problems that they have willingly violated copyright. Nor does it mean that they are playing political games.

It merely means they are (forced to) disclose knowledge of possible problems under investigation.

posted by: anonymous, 07 January 2008
how about a product that works?

"Or perhaps McAfee will offer software that does something actually productive, instead of living as a mere parasite of the Vole"

You should probably add "offering a product that actually works" to the list.

McAfee and Symantec have been putting out junk product for a couple of years now. They are virtually useless against modern malware, particularly in the spyware/adware category.

posted by: michiganfan, 07 January 2008
Silly conspiracy-theory stuff

This article takes a minor, lawyerly, note to stockholders and builds it into an admission of copyright infringement, with no logic whatever.

The author does not have any information to offer about what open-source software McAfee uses, if any, or how it uses it, but assumes that it must be breaking the license rules or it wouldn't bother with the warning.

The point of the warning is that they aren't sure what the rules are, because nobody is. Suppose, for instance, that their Linux products contain a loadable kernel module, say designed to work with the Linux Security Module interface. [NOTE - I have no specific knowledge of whether they use LSM or ship kernel modules, it's just an example.] Some people think that's a derivative work, some people don't. The applicable case law is mixed.

There are real areas of ambiguity in the license and the court cases around the GPL have generally addressed very narrow, specific issues. It's not even clear whether courts will read the license as a contract or a license - recent decisions have gone both ways.

And, finally, the author's suggested rationale for why McAfee would disparage open source makes no sense, either. They're spending significant amounts on building products for Linux systems; why would they then go out of their way to push people away from Linux? Besides which, the statement is in their annual report - it's a message to stockholders, not to customers.

Reading this as FUD, rather than as some lawyer's notion of fiduciary responsibility, is simply unsupported.

posted by: achates, 07 January 2008
GPL vs 'Proprietary' Licences

As I see it, if you spend the time and effort writing code then you want to be paid for it. If you adopt a 'proprietary' licensing model, then you get paid in cash. If you adopt the GPL, you get paid in code. If someone values your code enough to incorporate it into their own code rather than rewriting that code themselves, then they have to pay you. With the GPL, however, they don't just pay you, they pay everyone. If you don't like the licence, don't use the code. 
But don't expect to use the code and not pay for it.

posted by: Shagbag, 07 January 2008
How much will that be?

$180,000 for every instance of violation?
Multiplied by McAfee's customer base?
With the face of the CEO at the next shareholder meeting, trying to explain why he thought it was a good thing to try a FUD campaign against GPL when rabid dogs like SCO have gone bankrupt for doing just that?
Excuse me while I froth at the mouth in anticipation.

posted by: Pascal Monett, 08 January 2008
Value of the virus definitions

'That's data not code, so it couldn't be subject to GPL disclosure. McAfee's antivirus product's marketability wouldn't be diminished in the least and end-users would still need update subscriptions even if they had the software free.'

Except that I could modify the source code of the client to pull virus definitions from an alternate location, and make this new version freely available. Then, I could simply pull the virus definitions off the official site, throw them on the alternate locale, and boom... the value of the software and service immediately becomes $0.
If I'm McAfee, how am I going to convince people to pay for a subscription for anti-virus updates, when somebody else has modified the program to pull the defs off some P2P site and people can get everything for free?

posted by: WorknMan, 19 January 2008